Windows 2003 domain migration 2

Status
Not open for further replies.

rocketphoenix

IS-IT--Management
Sep 30, 2003
19
PH
Hi,

We are planning to migrate our Windows 2000 domain controller to Windows 2003.
The main scenario is that we have a root domain and a child domain. Our new plan is to restructure/migrate and have a single root domain.
E.g., our domain is 123.ABC.com (Windows 2000 based domain) and we want to migrate it to 123.com (Windows 2003 based).
How will we migrate without affecting the accounts (SIDs) and policies that we've created in the 2000 environment?
Could someone help me to design and provide me the strategy on how to implement this, or a whitepaper with almost the same scenario?

Hoping for your help..

thanks
phoenix
 
Without looking into the situation and digging through my MS Ref books I don't think that this can be done as simply as that.
Because you would be doing an upgrade on the main PDC it would take the domain name with it. So unless you run DCPROMO again the domain name will stay the same.

I think that the policies, SID's etc stay the same if it's a simple upgrade from 2k to 2k3.
 
Ok, the first thing you need to do is upgrade the domain controller to Server 2003. Once this is done the server will be Server 2003 in WINDOWS 2000 FUNCTIONAL MODE (Windows 2000 compatible AD DC). That means it is not using all the advanced functions that 2003 domain controllers have.

After that you would put the server in Server 2003 Functional Mode. That would make it a Windows 2003 AD Domain Controller. Once you have done that you can use the Domain renaming tools for Server 2003.

Understand that domain renaming is only available in Windows Server 2003 Functional Mode (also called Windows Server 2003 - native mode). More than likely your server is running in mixed-mode, for either compatibility with older OS's and/or simplicity.

Before you undertake this task you must realize that if you are running Windows NT 4 workstations you can upgrade to Server 2003 but you CANNOT rename the domain. Changing to native-mode would break compatibility with the clients. Also, you would need to set up DNS and Time Services with native mode domains. You would have to be more specific about your environment. How many clients? What OS's are run? Any applications that will not run on Windows 2000/XP clients?

Here is some reading material.

Domain Renaming Tools for Server 2003
 
Hi.. Thanks for your reply...
This is the existing Windows 2000 active directory diagram:

[Diagram: Root Domain: ABC.com (a placeholder), with Child Domain: 123.ABC.com beneath it]

This should be the outcome after the migration to Windows 2003:

[Diagram: single domain 123.com]

We purchased 1 new machine to host the newly migrated domain controller on 2003.
What is possibly the best solution/migration strategy for implementing this scenario?
For some details, all clients in the domain are running Win2000 Pro and WinXP Pro.


 
Hi Again...
Based on what you've said, we have to upgrade our Domain Controller to Windows 2003 (is it the root that you are referring to?) then upgrade the child domain to Windows 2003 afterwards to fully utilize the advanced functions that the 2003 domain controllers have...
Since the plan is to restructure into a single root domain, how will this happen while retaining the user accounts, resources and groups?
 
Ok, Firstly you can test your migration by purchasing Microsoft Virtual PC or VMWare Virtual Workstation.

Secondly, you have a choice of what to do here. You can get another server. Doesn't have to be a good server just a server which you can use temporarily and CREATE A NEW FOREST CALLED 123.COM

Use the Microsoft Active Directory Migration Tool and migrate all users/groups/shares to the new consolidated domain. Move any data to the new server and test your logons. If everything is working you can rebuild one or both of your old domain controllers and make a replica DC for 123.com. This way does not require you to change your old domain and provides you with a BACKOUT plan if you have problems. Once you have rebuilt the two domain controllers to 123.com you can move the FSMO roles from the first DC to any of the other two and run DCPROMO and remove AD from your "swing server"

The second option is as follows:

Upgrade abc.com to Windows 2003 Server
Upgrade 123.abc.com to Windows 2003 Server
On abc.com use Active Directory Users & Computers and right mouse click on abc.com and choose Properties.
Using the "Change Mode" button change the mode of the server to "Windows 2003 Native Mode"
On 123.abc.com use Active Directory Users & Computers and right mouse click on 123.abc.com and choose Properties.
Using the "Change Mode" button change the mode of the server to "Windows 2003 Native Mode"
Use Active Directory Migration Tools to move your users/groups/shares to ABC.COM
Test and make sure all logins are good and shares/data can be mounted/accessed.
Use the Domain Renaming Tools for Server 2003 and rename your forest root from ABC.COM to 123.COM (This will mean your DNS namespace for your 123.ABC.COM domain controller will be 123.123.COM).
Run DCPROMO and remove AD from 123.123.COM
Run DCPROMO and add to forest root as replica server.

The second method is much more reliant on you doing it right THE FIRST TIME. If you get a VPC program you can test both methods. You don't need to rename the domain as much as you want to migrate to a new domain. You are altering your DNS namespace. Domain renaming is for changing 123.ABC.COM to DEF.ABC.COM.

Good Luck
 
Hi Celestil,

Thanks for all your suggestions and support.... I really appreciate it all.
Based on our plan with the team, we are planning to retain the existing set-up. What we are going to do is just replace the server boxes and their OS's.
One of my concerns is the root domain, which is abc.com. How will we migrate the root domain to the new machine with a new OS (which is Win2003) and the child domain, which is 123.abc.com (new machine w/ Win2003 OS), while retaining its functions?
Can you please provide me steps or a whitepaper for this implementation on how to proceed?
Your help is very much appreciated.

Thanks,
Phoenix
 
If you wanted to go from 2 to 1 domain you'd have to use the ADMT to migrate the accounts in the child domain into the parent first and then do as Celestil says with domain renaming - this is a risky process though and breaks things like Exchange.

If you are retaining your root-child domain structure then to upgrade the domains to Windows 2003 you first have to choose between in-place upgrades or rebuilds of your DCs.

I'm going through this process myself and have chosen to do rebuilds as I want a clean build and there are some security improvements over in-place upgrades. If you choose in-place upgrades then it's a very simple process - just upgrade each DC in turn; you first have to forestprep and domainprep to support Windows 2003 AD though.

If you're doing rebuilds then it's a lot more complicated. Personally I'm starting off with the simplest DC's, i.e. the ones that don't have FSMO roles etc. If you only have two DC's currently with stuff spread between them I'd first start with a new DC (can just be a desktop PC if you only have it as a temporary solution), build that as Windows 2003 then DCPROMO it. Make it a GC and transfer everything but the PDCe and infrastructure master role to it.
Then you have to see what services the other DCs are offering besides authentication, in my case even our simplest DC is doing WINS, DHCP, DNS and TS licensing so it's a pain heh.
For DNS and WINS I just made the new 2003 DC a DNS/WINS server, the DNS is AD-integrated and I've made sure the WINS replication partners are correct.
For DHCP so far I've just changed the scopes so they point to the new server as primary DNS/WINS and let it run a few days to make sure clients are working OK.
Next I'm going to migrate the DHCP scopes following this article: I should be able to do this during the day without disrupting clients.

After that I'm going to set up the new server as a TS licence server and authorise it; we only have 3 TS servers, 2 of which already are hardcoded to point to a licence server, so I'll just change all 3 to point to the new server.

Then I'm going to get NTP time synching working on the 2003 DC and transfer the PDCe role to it.

After that it's just a case of rebuilding the existing DCs one at a time (starting with the one without the infrastructure master role) as they aren't doing anything else. In my case I'm going to keep the first 2003 DC as a production DC (it's a new decent server) so I don't have to worry about migrating everything back again, but if you're using temp hardware then you need to migrate everything back to the rebuilt DCs. In my case I'll just be adjusting DHCP to reflect secondary DNS/WINS and shuffling the roles (inc GC) around again.
 
Hi Nick,

Thanks for your valuable reply and idea.
The direction of the migration is just to replace the old server boxes with new ones with a new OS, which is Win2003.
Actually we have a root domain abc.com (just a placeholder) and we are planning to replace it with a new OS and server box while retaining its role. (We have 2 servers for the root domain. 1 is for redundancy. And we are planning to have 1 server box holding the root domain with the 2003 OS in the 1st phase. Planning to add 1 in the 2nd phase.)
We are also planning to replace the boxes of the child domain. We also have 2 DCs in the child domain (for authentication); 1 of those is handling DHCP and internal DNS. The plan is also to have only 1 server box for the child DC, which will also hold the internal DNS and DHCP.
How and what may be the best steps to proceed?
We also have our external DNS. How will I migrate it to the new server box with the new OS? What tool should I use? Hope you can provide me a whitepaper or steps on how to proceed.
Your help is very much appreciated.
 
First you need to ADPREP both the forest then the two domains within the forest. Once this is done the schema is ready to accept Windows 2003 DC's.

I'd then start with the root domain as that seems the simplest in your case. From your previous post it seems like you have a new server available for the root domain, in which case just build that with Windows 2003 then DCPROMO it to become a DC. Then list all the services the other DCs in the root have, such as FSMO roles, GC and DNS etc. then pick one of the Windows 2000 DCs and transfer all the services to your new 2003 DC. Once all are transferred then DCPROMO to demote the old DC then just rebuild the 2000 DC as a 2003 server, clean out any remaining AD metadata for the old DC and DCPROMO it back.

Then you just repeat this for the other DC and the child domain DCs. DHCP can be tricky but the article I referenced before provides a good step-by-step procedure. DNS (internal) is relatively straight-forward, just remember to redirect clients to the new internal DNS server during the migration. Not sure what you mean about your external DNS, where does this sit and what's it for (i.e. are you talking about DNS on a DMZ or about your ISP's DNS?).
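
The rebuild procedure described in the last two replies, written out as a command checklist for the root domain. This is an added example, not part of any poster's reply; run each step on the DC named in its comment rather than as one script. NEWDC01 is a placeholder name for the new Windows 2003 DC, and abc.com / 123.abc.com are the thread's example domains.

```bat
rem Added example. NEWDC01 is a placeholder host name (assumption).
rem netdom, repadmin and dcdiag are installed with the Windows Support Tools.

rem 1. Record the current FSMO role holders in each domain before any change.
netdom query /domain:abc.com fsmo
netdom query /domain:123.abc.com fsmo

rem 2. Check replication and DC health; resolve errors before touching the schema.
repadmin /showreps
dcdiag

rem 3. On the schema master in the forest root, from the i386 folder of the
rem    Windows Server 2003 CD:
adprep /forestprep

rem    Wait for the schema change to replicate, then on the infrastructure
rem    master of EACH domain (abc.com and 123.abc.com):
adprep /domainprep

rem 4. Build NEWDC01 with Windows 2003, promote it with DCPROMO, then move the
rem    forest-wide roles (held only in the forest root) and the RID master to it.
ntdsutil roles connections "connect to server NEWDC01" quit "transfer schema master" "transfer domain naming master" "transfer RID master" quit quit

rem 5. Transfer the PDC emulator only after time sync is working on NEWDC01,
rem    and place the infrastructure master with your GC layout in mind
rem    (the earlier reply kept both off the new GC at first).
ntdsutil roles connections "connect to server NEWDC01" quit "transfer PDC" "transfer infrastructure master" quit quit

rem 6. Confirm the roles moved and NEWDC01 is healthy before demoting the old DC.
netdom query /domain:abc.com fsmo
dcdiag /s:NEWDC01
```

Keeping the output of step 1 gives you a record to compare against in step 6 and a reference if a role has to be moved back.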
 